HSTS and EZproxy

Symptom

Users experience connection errors when attempting to access HTTP-only databases through EZproxy.

Common browser error messages include NET::ERR_CERT_COMMON_NAME_INVALID or strict transport security warnings. You may also occasionally see a 401 Unauthorised error.

Applies to

EZproxy sites that have enabled HTTP Strict Transport Security (HSTS) on their EZproxy domain.

How to check if HSTS is enabled on your domain:

  1. Open Google Chrome and navigate to chrome://net-internals/#hsts.
  2. Enter your EZproxy domain name in the Query HSTS/PKP domain search field.
  3. Click Query.
  4. If the result returns "Found" followed by policy details, HSTS is active for that domain in this browser.

Note that this query only shows what that particular browser has cached. A browser that has never visited the site over HTTPS reports "Not found" even when the server is sending the Strict-Transport-Security header, and a cached policy persists for up to max-age seconds after the header is removed from the server. To see what the server is actually sending, check the response headers of an HTTPS request to your EZproxy login page as well.
Resolution

EZproxy is compatible with HTTP Strict Transport Security (HSTS). The errors come from the proxied content, not from EZproxy itself.

An HSTS policy is stored by the browser and keyed by hostname (and, when the header carries includeSubDomains, by every subdomain of that hostname). If the policy is applied to your whole EZproxy domain, the browser rewrites every request to those hostnames to HTTPS before it opens a connection. If a proxied vendor site only supports HTTP, EZproxy cannot turn it into an HTTPS resource, so the forced HTTPS request fails with a connection or certificate error. Because the policy lives in the browser rather than on the server, it cannot be selectively disabled for specific proxied content: the browser keeps enforcing it until max-age expires or the host sends a Strict-Transport-Security header with max-age=0.

Secure EZproxy pages
To apply HSTS and other security headers exclusively to files served directly by EZproxy (such as login.htm), and not to proxied vendor content, add the following lines to your config.txt file:

# Applies only to pages EZproxy generates itself (login, menu, logout); proxied responses are untouched
HTTPHeader -server Cache-Control "no-store, no-cache, must-revalidate"
HTTPHeader -server Cache-Control "post-check=0, pre-check=0"
HTTPHeader -server Expires "0"
# One year; deliberately without includeSubDomains (see note below)
HTTPHeader -server Strict-Transport-Security "max-age=31536000"
HTTPHeader -server X-Content-Type-Options "nosniff"

Because of the -server option, the browser records the HSTS policy only for your EZproxy hostname. Do not add includeSubDomains to this value: proxy-by-hostname URLs are subdomains of your EZproxy domain, so that directive would extend the policy to every proxied hostname and recreate the problem described above. The post-check and pre-check directives are non-standard; only older versions of Internet Explorer honoured them, and current browsers ignore them.
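The following Python is an added example, not OCLC or EZproxy code. It models the browser-side behaviour that both the HSTS check and the config.txt fragment depend on: it parses a Strict-Transport-Security header the way a browser does, records the policy for the host that sent it, and shows how an http:// URL to a proxied hostname is rewritten to https:// before any connection is made. The hostnames ezproxy.example.edu and www-vendor-com.ezproxy.example.edu are constructed placeholders following the proxy-by-hostname pattern, and the header dictionaries are constructed samples; the only real value is the max-age from the config.txt fragment above.

```python
"""Added example (not OCLC/EZproxy code): model how a browser records and applies an
HSTS policy, to see which EZproxy hostnames a given Strict-Transport-Security
header ends up covering.  All hostnames and headers below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class HstsPolicy:
    host: str               # hostname that sent the header, lower-cased
    max_age: int            # seconds for which the browser keeps forcing HTTPS
    include_subdomains: bool


def parse_hsts(value: str) -> Optional[Tuple[int, bool]]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns (max_age, include_subdomains), or None when the value is unusable
    (browsers ignore a header without a valid max-age)."""
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            digits = raw.strip().strip('"')
            if not digits.isdigit():
                return None
            max_age = int(digits)
        elif name == "includesubdomains":
            include_subdomains = True
        # "preload" and unknown directives are ignored, as RFC 6797 requires
    if max_age is None:
        return None
    return max_age, include_subdomains


def policy_from_response(host: str, headers: Dict[str, str]) -> Optional[HstsPolicy]:
    """Record the policy a browser would store after a response from `host`.

    Assumes the response arrived over HTTPS with a valid certificate; browsers
    ignore the header on plain HTTP or on connections with certificate errors."""
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            parsed = parse_hsts(value)
            if parsed is None or parsed[0] == 0:   # max-age=0 deletes an existing policy
                return None
            return HstsPolicy(host.lower().rstrip("."), parsed[0], parsed[1])
    return None


def hsts_covers(policy: HstsPolicy, hostname: str) -> bool:
    """True when `hostname` is the policy host or, with includeSubDomains, under it."""
    hostname = hostname.lower().rstrip(".")
    if hostname == policy.host:
        return True
    return policy.include_subdomains and hostname.endswith("." + policy.host)


def upgrade_url(policies: Dict[str, HstsPolicy], url: str) -> str:
    """Rewrite an http:// URL to https:// when a stored policy covers its host (RFC 6797 8.3).

    The browser does this before opening a connection, which is why EZproxy
    cannot intervene for an HTTP-only vendor.  An explicit port 80 becomes 443
    (the default, so it is dropped); any other explicit port is kept as-is."""
    parts = urlsplit(url)
    host = parts.hostname
    if parts.scheme.lower() != "http" or not host:
        return url
    if not any(hsts_covers(p, host) for p in policies.values()):
        return url
    port = parts.port
    netloc = host if port in (None, 80) else f"{host}:{port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


# Constructed sample: the header value from the config.txt fragment above, as sent by
# the EZproxy host itself (HTTPHeader -server), and a proxy-by-hostname vendor URL.
EZPROXY_HOST = "ezproxy.example.edu"
VENDOR_URL = "http://www-vendor-com.ezproxy.example.edu/search?q=hsts"
SERVER_ONLY_HEADERS = {"Strict-Transport-Security": "max-age=31536000",
                       "X-Content-Type-Options": "nosniff"}
SUBDOMAIN_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}


def demo() -> Dict[str, str]:
    """Run the same vendor URL through both policies; returns label -> resulting URL."""
    results = {}
    for label, headers in (("server_only", SERVER_ONLY_HEADERS),
                           ("include_subdomains", SUBDOMAIN_HEADERS)):
        policy = policy_from_response(EZPROXY_HOST, headers)
        store = {policy.host: policy} if policy else {}
        results[label] = upgrade_url(store, VENDOR_URL)
    return results


if __name__ == "__main__":
    for label, url in demo().items():
        print(f"{label:20} -> {url}")
```

With the header exactly as in the config.txt fragment, the vendor URL is left alone, because the policy covers only ezproxy.example.edu. Adding includeSubDomains makes the browser rewrite it to https://www-vendor-com.ezproxy.example.edu/search?q=hsts before EZproxy sees the request, which is the failure mode described in this page for HTTP-only vendors.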

Solutions for Proxied Content
If you choose to apply HSTS across your entire EZproxy domain, you must manage your HTTP-only resources carefully, because the browser will force every proxied hostname that received the policy to HTTPS.

Refer to https://help-it.oclc.org/Library_Management/EZproxy/Configure_resources/ProxyHostnameEdit for more information.

Page ID
47246